Identifying Audit and security logs to forward to syslog server (SIEM)



Article ID: 432327


Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

There is a requirement to send Audit and Security logs to a SIEM.

Environment

VMware Aria Operations for Logs 8.18.x

Cause

Customization of SIEM filtering logic and specific event selection of this type falls outside the standard scope of Global Services support.

Resolution

The following is a basic list of vCenter audit-related event types (the event type IDs as they appear in the forwarded log text), grouped by what they record.

1. Authentication and Session Events

  • UserLoginSessionEvent: Successful login.

  • BadUsernameSessionEvent: Failed login (bad username/password).

  • UserLogoutSessionEvent: Explicit logout.

  • AlreadyAuthenticatedSessionEvent: Re-authentication of an existing session.

2. Authorization and Permission Modifications

  • PermissionAddedEvent: A new permission was granted to a user or group.

  • PermissionUpdatedEvent: Existing permission modified.

  • PermissionRemovedEvent: Permission revoked.

  • RoleAddedEvent: A new custom role was created.

  • RoleUpdatedEvent: Privileges modified on a role.

  • RoleRemovedEvent: Role deleted.

3. Host State and Configuration

  • HostConnectedEvent: Host added or reconnected to vCenter.

  • HostDisconnectedEvent: Host lost connection to vCenter.

  • EnteredMaintenanceModeEvent: Host placed into maintenance mode.

  • ExitMaintenanceModeEvent: Host removed from maintenance mode.

4. Virtual Machine Lifecycle and Security

  • VmCreatedEvent: VM deployed from scratch.

  • VmRemovedEvent: VM deleted from disk.

  • VmReconfiguredEvent: VM hardware or settings changed (e.g., adding a NIC, altering a port group, modifying CPU/RAM).

  • VmPoweredOnEvent: VM started.

  • VmClonedEvent: VM duplicated.
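The event types above are what a SIEM-forwarding filter needs to select on. The script below is an added example, not code from the article or from VMware: it turns the four groups into a lookup table, matches the event type ID as a whole word in each forwarded line, and drops everything else. The sample log lines are constructed for the example, and the assumption that the event type ID appears verbatim in the line is just that, an assumption; confirm it against your own forwarded output before relying on the filter.

```python
import re
from collections import Counter

# Event type IDs from the article's list, keyed by the article's four categories.
AUDIT_EVENTS = {
    "authentication": {
        "UserLoginSessionEvent", "BadUsernameSessionEvent",
        "UserLogoutSessionEvent", "AlreadyAuthenticatedSessionEvent",
    },
    "authorization": {
        "PermissionAddedEvent", "PermissionUpdatedEvent", "PermissionRemovedEvent",
        "RoleAddedEvent", "RoleUpdatedEvent", "RoleRemovedEvent",
    },
    "host": {
        "HostConnectedEvent", "HostDisconnectedEvent",
        "EnteredMaintenanceModeEvent", "ExitMaintenanceModeEvent",
    },
    "vm": {
        "VmCreatedEvent", "VmRemovedEvent", "VmReconfiguredEvent",
        "VmPoweredOnEvent", "VmClonedEvent",
    },
}

# Reverse index: event type -> category, built once.
EVENT_TO_CATEGORY = {ev: cat for cat, evs in AUDIT_EVENTS.items() for ev in evs}

# Match any listed event type as a whole word, so VmPoweredOnEvent does not
# also catch VmPoweredOffEvent. Assumption: the ID appears verbatim in the line.
EVENT_RE = re.compile(r"\b(" + "|".join(sorted(EVENT_TO_CATEGORY)) + r")\b")

# Constructed sample lines for the example (not captured vCenter output).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z vcenter01 vpxd[1234]: [UserLoginSessionEvent] User admin@vsphere.local logged in from 10.0.0.5",
    "2024-05-01T10:00:05Z vcenter01 vpxd[1234]: [BadUsernameSessionEvent] Cannot login user@vsphere.local from 10.0.0.9",
    "2024-05-01T10:01:10Z vcenter01 vpxd[1234]: [PermissionAddedEvent] Permission created for dev-ops on DC1, role Admin",
    "2024-05-01T10:02:00Z vcenter01 vpxd[1234]: [VmReconfiguredEvent] Reconfigured web01 on esx01 in DC1",
    "2024-05-01T10:02:30Z vcenter01 vpxd[1234]: [VmPoweredOffEvent] web01 on esx01 is powered off",
    "2024-05-01T10:03:00Z vcenter01 vpxd[1234]: [DrsVmMigratedEvent] DRS migrated db01 from esx01 to esx02",
    "2024-05-01T10:04:00Z vcenter01 vpxd[1234]: [HostDisconnectedEvent] esx03 disconnected",
]


def classify(line):
    """Return (category, event_type) if the line carries a listed audit event, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.group(1)
    return EVENT_TO_CATEGORY[ev], ev


def select_audit_events(lines):
    """Keep only the lines that should be forwarded to the SIEM, tagged with category and event type."""
    selected = []
    for line in lines:
        hit = classify(line)
        if hit:
            selected.append((hit[0], hit[1], line))
    return selected


def summarize(lines):
    """Count forwarded events per category; a quick sanity check that the filter is selecting what you expect."""
    return Counter(cat for cat, _ev, _line in select_audit_events(lines))


if __name__ == "__main__":
    for cat, ev, line in select_audit_events(SAMPLE_LOGS):
        print(f"{cat:15} {ev:32} {line}")
    print(dict(summarize(SAMPLE_LOGS)))
```

Running the block on the sample lines forwards five of the seven: the two power-off and DRS-migration lines are not in the article's list and are dropped. If your SIEM filter is expressed as a simple text match, the alternation in EVENT_RE is the list of strings to match on.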

Additional Information

Please ensure basic network connectivity between the Operations for Logs instance and the SIEM on the forwarding port. A 'curl' command run from the Operations for Logs instance will confirm this: a successful TCP connection shows "Connected to <SIEM_FQDN>" in the verbose output (curl then waits for input, so end it with Ctrl+C), while a refused or timed-out connection points to a firewall or listener problem rather than a filtering one.

  • curl -v telnet://<SIEM_FQDN>:<PORT>